liminfo

Ghidra Reference

Free reference guide: Ghidra Reference

26 results

About Ghidra Reference

This Ghidra Reference is a searchable cheat sheet for the NSA Ghidra reverse engineering framework. It covers disassembly navigation shortcuts (Go to address, Rename label, Search memory), decompiler window operations (retype variables, edit function signatures), and Ghidra Python scripting APIs (currentProgram, getFunctionManager, getBytes, getReferencesTo).

The reference also includes auto analysis options, function graph visualization, symbol table browsing, data type management (create structures, parse C headers, apply complex types), and binary patching workflows (patch instructions, patch data bytes, export patched binaries).

Designed for malware analysts, vulnerability researchers, firmware reverse engineers, and CTF players who need instant lookup of Ghidra keyboard shortcuts, scripting snippets, and analysis techniques without leaving their browser.

Key Features

  • Complete Ghidra keyboard shortcuts for disassembly navigation and label renaming
  • Decompiler reference covering variable retyping, renaming, and function signature editing
  • Ghidra Python scripting examples with currentProgram, getFunctionManager, and getReferencesTo
  • Auto analysis configuration options including Decompiler Parameter ID and Aggressive Instruction Finder
  • Data type management guide for creating structures, parsing C headers, and applying types to memory
  • Binary patching workflow from instruction patching to exporting modified binaries
  • Function graph, symbol table, and program tree navigation reference
  • Filterable by category: Disassembly, Decompile, Scripting, Analysis, Data Types, Patching

Frequently Asked Questions

What Ghidra shortcuts does this reference cover?

This reference covers essential Ghidra shortcuts including G (go to address), L (rename label), Ctrl+Shift+F (memory search), semicolon (add comments), Ctrl+E (export), Ctrl+L (retype variable in decompiler), Ctrl+Shift+E (edit function signature), and T (apply data type).

How do I use the Ghidra decompiler effectively?

Open the Decompiler window from Window menu, select a function to see auto-generated C-style pseudocode. Use Ctrl+L to retype variables (e.g., uint to char*), L to rename variables (e.g., param_1 to buffer), and Ctrl+Shift+E to edit function signatures with proper types and parameter names.

What Ghidra Python scripting APIs are included?

The reference includes core Ghidra Python APIs: currentProgram for accessing the loaded binary, getFunctionManager() for iterating over functions, getBytes() for reading memory content, and getReferencesTo() for finding cross-references to specific addresses. Each entry includes ready-to-use code snippets.

How do I patch binaries in Ghidra?

Use Ctrl+Shift+G to patch instructions by entering assembly code (nop, jmp, mov eax, 1). Right-click and select Patch Data to modify byte values directly. After patching, export the modified binary via File, Export Program, Binary to save in the original format.

What analysis features does Ghidra offer?

Ghidra provides Auto Analysis with configurable options (Decompiler Parameter ID, Aggressive Instruction Finder, Create Address Tables), Function Graph for visualizing control flow, Symbol Table for searching all functions and labels, Data Type Manager for struct/enum management, and Program Trees for section browsing.

How do I manage data types and structures in Ghidra?

Press T to apply data types (byte, word, dword, string). Use Data Type Manager to create new structures and parse C header files for automatic struct/enum generation. Apply complex types to memory regions by right-clicking and selecting Data then Choose Data Type.

Can I import C header files into Ghidra?

Yes, use File then Parse C Source to load .h files. Ghidra automatically generates structures, enums, and typedefs from the parsed headers. These types can then be applied to memory regions and used in the decompiler view for more readable pseudocode.

Is this Ghidra reference free to use?

Yes, this Ghidra cheat sheet is completely free with no account required. All content is displayed in your browser with instant search and category filtering. It is part of liminfo.com's collection of free developer and security reference tools.